Invoice Ninja
cpe:2.3:a:invoiceninja:invoice_ninja:*:*:*:*:*:*:*
Affected versions: < 5.13.4
A stored cross-site scripting vulnerability has been identified in Invoice Ninja versions prior to 5.13.4. The issue arises in the product notes field, which accepts Markdown and passes any raw HTML it contains through to the rendered output. This unfiltered input enables the execution of malicious scripts. The vulnerability was introduced because the Markdown parser output was not sanitized before being incorporated into invoice templates.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the invoice. This could lead to session hijacking, account takeover, or data exfiltration.
To reproduce this vulnerability, log in as an authenticated user and create or edit a product. In the product notes field, enter a script injection payload, such as an image tag with an 'onerror' event. After saving the product, add it to an invoice and preview the invoice. The injected script will execute, demonstrating the cross-site scripting vulnerability.
Users can update to Invoice Ninja version 5.13.4 or later, where this vulnerability has been fixed by adding the necessary output sanitization.